[Openid-specs-ab] Use new jwks registration parameter to provision keys to clients?

Torsten Lodderstedt torsten at lodderstedt.net
Fri Nov 22 06:25:49 UTC 2013

Hi Vladimir,

Brian, Justin and I discussed such an option in Vancouver. As far as I remember, we came to the same conclusion. Although it is not puristic security practice, it seems to be convenient for developers.


Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com> wrote:
>Hi guys,
>Ticket #903 that Nat posted calls for a new jwks parameter to enable
>native clients to register their public keys directly with the
>What do you think of allowing this parameter to also be used as a simple
>means to provision clients with keys generated by the provider? Do you
>see any problems with that? I find this a very attractive option for a
>use case that we face. Currently there's no standard OIDC way to
>provision keys to clients when they register.
>It could work like this:
>The client sends a registration request that implies use of an
>asymmetric key (e.g. JWT private key auth, or signed requests) but
>doesn't provide any jwks_url or jwks parameter. In that case the server
>generates a key pair and returns it with the jwks parameter in the
>response JSON.
>Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>Openid-specs-ab mailing list
>Openid-specs-ab at lists.openid.net
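
The flow proposed in the quoted message, as an added example that is not part of the original thread or of the OpenID Connect specification: a hypothetical `registerClient` handler that generates a key pair when the request implies asymmetric key use but carries no key material. Assumptions: Node.js, P-256/ES256 keys only, a `Map` standing in for the provider's client database, and `jwks_uri` as the registered name of what the message calls `jwks_url`.

```javascript
// Added example: hypothetical handler, not the spec's or any provider's code.
const crypto = require('node:crypto');

// True when the request implies the client will need its own asymmetric key.
// This sketch only recognises private_key_jwt and ES256-signed request objects.
function needsClientKey(req) {
  return req.token_endpoint_auth_method === 'private_key_jwt' ||
    req.request_object_signing_alg === 'ES256';
}

// serverStore: Map used as a stand-in for the provider's client database.
function registerClient(req, serverStore) {
  const clientId = crypto.randomUUID();
  const record = { ...req };                     // what the provider persists
  const response = { client_id: clientId, ...req };

  // "jwks_url" in the message; the registration parameter is jwks_uri.
  const suppliedKeys = req.jwks !== undefined || req.jwks_uri !== undefined;

  if (needsClientKey(req) && !suppliedKeys) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const meta = {
      kid: crypto.randomBytes(8).toString('hex'),
      use: 'sig',
      alg: 'ES256',
    };
    // The provider keeps only the public half, so a later dump of the
    // client database does not expose any client's signing key.
    record.jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), ...meta }] };
    // The private half exists only in this one response. It must travel
    // over TLS and must not be written to logs or caches.
    response.jwks = { keys: [{ ...privateKey.export({ format: 'jwk' }), ...meta }] };
  }

  serverStore.set(clientId, record);
  return response;
}
```

The provider still sees the private key at generation time, which is the departure from strict practice that the reply mentions; discarding it immediately after the response limits that exposure to a single request.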